Deception-based responses to security attacks

ABSTRACT

Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domains names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.

BACKGROUND

With Internet use forming an ever greater part of day to day life,security exploits that steal or destroy system resources, data, andprivate information are an increasing problem. Governments andbusinesses devote significant resources to preventing intrusions andthefts related to these security exploits. Security threats come in manyforms, such as computer viruses, worms, trojan horses, spyware,keystroke loggers, adware, and rootkits. These threats typically employsecurity exploits, which are the weaponization of an attack against aspecific vulnerability in software. These threats are delivered in orthrough a number of mechanisms, such as spearfish emails, clickablelinks, documents, executables, or archives. Some of the threats posed bysecurity exploits are of such significance that they are described ascyber terrorism or industrial espionage.

To meet the threat posed by these security exploits, many securitysolutions, such as antivirus software, have been developed. Typically,these solutions scan a computing device, determine if the device isaffected by a security threat, and block or remove the security threat.While blocking and removing counter the immediate threat, they are easyfor an adversary purveying the security vulnerability to overcome. Theaffected user is then left always one step behind, always reacting toactions taken by an adversary rather than taking steps to prevent futureintrusions and thefts by the adversary.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth with reference to the accompanyingfigures. In the figures, the left-most digit(s) of a reference numberidentifies the figure in which the reference number first appears. Theuse of the same reference numbers in different figures indicates similaror identical items or features.

FIG. 1 illustrates an example network connecting a security service toclient devices, the security service providing deception-basedtechniques for responding to attacks affecting the client devices.

FIG. 2 illustrates an example process for transitioning an attack todevice monitored device posing as the computing device impacted by theattack and enabling the attack to obtain deceptive information from themonitored device.

FIG. 3 illustrates an example process for configuring a document toreport identifying information of an entity opening the document toenable determination of whether an unauthorized entity is in possessionof the document.

FIG. 4 illustrates an example process for determining that a domainspecified in a domain name request is associated with malicious activityand responding to the request with a network address of an monitoreddevice to cause the requesting process to communicate with the monitoreddevice in place of an adversary server.

FIG. 5 illustrates an example process for monitoring dormant domainsnames associated with malicious activity and, in response to a change,responding with an alert or a configuration update.

FIG. 6 illustrates a component level view of a computing device capableof acting as a security service device, a client device, or a monitoreddevice.

DETAILED DESCRIPTION

Overview

This disclosure describes, in part, deception-based techniques forresponding to attacks. The techniques include transitioning an attack toa monitored computing process or device (referred to herein as a“monitored device”) that is posing as the computing device impacted bythe attack and enabling the adversary associated with the attack toobtain deceptive information from the monitored device. The techniquesalso include identifying the adversary associated with the attack byconfiguring a document to report identifying information when anunauthorized entity opens the document. Further, the techniques includedetermining that a domain specified in a domain name request isassociated with malicious activity and responding to the request with anetwork address of a monitored computing process or device (referred toherein as a “monitored server” or a “monitored device”) to cause therequesting process to communicate with the monitored server in place ofan adversary server. Additionally, the techniques include monitoringdormant domains names associated with malicious activity and, inresponse to a change in name resolution or registration, responding withan alert or a configuration update.

In various embodiments, a security service may implement or enable anyone or more of the deception-based techniques. In a first set oftechniques, the security service may utilize monitored devices to runand monitor attacks and to use those attacks to provide deceptiveinformation to an adversary. The adversary may then spend time andeffort working on the deceptive information without realizing that theattack has been blocked. Future attacks are thus inhibited as theattacked gains the advantage over the attacker.

When first detecting an attack, a security agent or the security servicemay block processing of the attack by the impacted device. The securityservice then transitions the attack to the monitored device andprocesses the attack on that monitored device. The monitored deviceposes as the impacted computing device and is configured with a virtualimage of the impacted computing device to enable a convincing pose. Thesecurity service then monitors activities and communications of theattack and uses information gained from the monitoring to improvedeception capabilities and security agent configurations. The securityservice also enables an entity associated with the impacted computingdevice to provide deceptive information to be included on the monitoreddevice. For example, if the adversary is a negotiation partner for abusiness deal attempting to illicitly acquire an entity's negotiatingstrategy, the entity could provide a false strategy for inclusion on themonitored device.

In a second set of techniques, the security service uses beaconing toidentify the adversary, thus enabling better targeting of deceptiveinformation. The security service embeds executable instructions in adocument that causes the document to report identifying information tothe security service when opened. The security service may also orinstead embed a link in the document that causes a request to amonitored network address (e.g., when the document is opened and thelink is clicked). The security service is then able to receive thereport or request to the monitored network address, determine from itwhether the opener is an unauthorized adversary, and determinecharacteristics of the adversary, such as geographic location. Thesecharacteristics can be used to craft better deceptive information ormore convincing monitored devices or monitored servers. The securityservice may also alert a user or security agent program of theunauthorized possession or update a security agent programconfiguration.

In a third set of techniques, the security service detects the presenceof a attack through the attack's specification of a suspicious domainname in a domain name resolution request. In response, the securityservice deceives the adversary associated with the attack by respondingto the request with a network address of an monitored server, themonitored server posing as an adversary server. The monitored serverthen gathers information from the attack that may be utilized to enhancethe effectiveness of other deception techniques, such as improving thedeceptive information made available through a monitored device. Also,the security service may alert at least one of a security agent or usersof an entity impacted by the attack. In some embodiments, the securityservice may then transition the attack to a monitored device and performthe above described first set of deception techniques.

In a fourth set of techniques, the security service monitors dormantdomain names that have previously been used in connection with maliciousactivity. By monitoring the domain names for changes in name resolutionor registration, the security service may be prepared, having monitoreddevices or monitored servers ready to use when a attack utilizes one ofthese monitored domain names. With such techniques, the security servicemay also perform additional actions, such as detecting other dormantdomains and monitoring them, or responding to the change in nameresolution or registration by providing an alert or a configurationupdate.

Example Network

FIG. 1 illustrates an example network connecting a security service toclient devices, the security service providing deception-basedtechniques for responding to attacks impacting the client devices. Asillustrated in FIG. 1, a network 102 connects client devices 104 of aclient network 106 to a security service 108 of a security servicenetwork 110. The security service 108 may configure the client devices104 with security agents 112, the security agents 112 being capable ofdetecting attacks 114 of an adversary 116 that are directed at one ormore of the client devices 104. In response, the security service 108may transition the attack to a monitored device 118 included in theclient network 106 or an monitored device 120 included in the securityservice network 110. The monitored device 118/120 may pose as the clientdevice 104 that the attack is directed at and may be configured with avirtual image of that client device 104. The monitored device 118/120may also include deceptive information 122 for the attack 114 to obtainand provide to the adversary 116. The attack 114 may provide thedeceptive information 122 to one or both of a command-and-control (C2)server 124 of the adversary 116 or an exfiltration server 126 of theadversary 116. In some embodiments, the security service 108 may alsoreceive a redirection domain name resolution request made by the attack114 and may respond to the request by identifying an monitored server128 included in the client network 106 or an monitored server 130included in the security service network 110, the monitored server128/130 posing as the C2 server 124 or exfiltration server 126 to theattack 114.

In various embodiments, devices of the security service 108 may includemodules and data 132-146 that enable the security service 108 to performthe operations described herein. These modules and data 132-146 includea monitoring module 132, a deception module 134, a beaconing module 136,a domain name service (DNS) redirection module 138, an dormant domainrepository 140, a response module 142, an analysis module 144, and aconfiguration module 146.

In some embodiments, the network 102, client network 106, and securityservice network 110 may each include any one or more networks, such aswired networks, wireless networks, and combinations of wired andwireless networks. Further, the network 102, client network 106, andsecurity service network 110 may include any one or combination ofmultiple different types of public or private networks (e.g., cablenetworks, the Internet, wireless networks, etc.). For example, thenetwork 102 may be a public network and the client network 106 andsecurity service network 110 may each be a private network. In someinstances, computing devices communicate over the network 102, clientnetwork 106, and security service network 110 using a secure protocol(e.g., https) and/or any other protocol or set of protocols, such as thetransmission control protocol/Internet protocol (TCP/IP). Further, eachof the client network 106 and security service network 110 may beassigned a block of network addresses, such as IP addresses.

In various embodiments, the client devices 104, the computing devices ofthe security service 108, the monitored device 118/120, and themonitored server 128/130 may each be or include a server or server farm,multiple, distributed server farms, a mainframe, a work station, apersonal computer (PC), a laptop computer, a tablet computer, a personaldigital assistant (PDA), a cellular phone, a media center, an embeddedsystem, or any other sort of device or devices. In one implementation,the computing devices of the security service 108 represent a pluralityof computing devices working in communication, such as a cloud computingnetwork of nodes. When implemented on multiple computing devices, thesecurity service 108 may distribute the modules and data 132-146 of thesecurity service 108 among the multiple computing devices. In someimplementations, one or more of the client devices 104, the computingdevices of the security service 108, the monitored device 118/120, andthe monitored server 128/130 represent one or more virtual machinesimplemented on one or more computing devices. An example computingdevice capable of serving as a client device 104, a computing device ofthe security service 108, the monitored device 118/120, or the monitoredserver 128/130 is illustrated in FIG. 6 and described below withreference to that figure.

In various embodiments, the client devices 104 and client network 106may be associated with an entity, such as a business, government, orother organization, or may be associated with a single user or groups ofusers. That entity or those user(s) may subscribe for security serviceswith the security service 108, which may monitor activities on clientdevices 104 of the entity/user(s). In some embodiments, that monitoringmay involve installing security agents 112 on the client devices 104 tomonitor execution activities of the client devices 104 and to report onthose activities to the security service 108. In other embodiments, thesecurity service 108 may instead rely on scanning the client devices 104from a security service scanner or rely on a third party securityproduct or service to detect attacks and communicate them to thesecurity service 108.

Each client device 104 may be any sort of computing device, as describedabove. Each client device 104 may be configured with an operatingsystem, applications, folders, files, and desktop screens. Further, eachclient device 104 may be associated with a user name of a user of thatclient device 104, a machine name of the client device 104, an operatingsystem version, desktop screens, folder names, preloaded files, andcomputer firmware versions.

In some embodiments, the security agent 112 may be a kernel-levelsecurity agent that observes and acts upon execution activities of itscorresponding client device 104. The security agent 112 may beconfigurable by the security service 108, receiving, and applying whilelive, reconfigurations of filters, components, models, etc. of thesecurity agent 112. Based on the observed execution activities, thesecurity agents 112 may generate security information which the securityagent 112 may act upon and/or provide to the security service 108. Anexample security agent 112 is described in greater detail in U.S. patentapplication Ser. No. 13/492,672, entitled “Kernel-Level Security Agent”and filed on Jun. 8, 2012.

As mentioned, attacks 114 may be directed at client devices 104. Suchattacks 114 comes in many forms, such as computer viruses, worms, trojanhorses, spyware, keystroke loggers, adware, and rootkits. These attacks114 are delivered in or through a number of mechanisms, such asspearfish emails, clickable links, websites, drive by exploits, QRcodes, Near Field Communications (NFC) triggered links, documents,executables, removable drives, or archives. The attacks 114 may bedetected by the security agents 112 or other security mechanism and maybe blocked or stopped from further processing. As mentioned furtherherein, the attacks 114 may then be transitioned to a monitored device118/120 by the security service 108.

In various embodiments, the security service 108 may be a provider ofinformation security services to client entities, such as maintenanceand configuration of the kernel-level security agents 112, threatmodeling, and/or remediation. In some embodiments, the security service108 may also provide social aspects to the security services, forminggroups of those client entities and automatically sharing securityinformation among the client entities 104 constituting a group.

In addition, as described above in some detail, the security service 108implements any of a number of deception techniques to respond to attacks114. The modules and data 132-146, monitored devices 118/120, andmonitored servers 128/130 may be operated and used by the securityservice 108 to carry out these techniques.

In various embodiments, the monitoring module 132 may be configured toperform monitoring operations associated with a number of thetechniques. For example, in associated with the first set of deceptiontechniques described above, the monitoring module 132 may be configuredto detect the presence or operation of attacks 114 on client devices 104or to receive automated or manual notifications from security agents 112of the presence or operation of attacks 114. In one embodiment,receiving the automated or manual notification may include retrievingthe attack from an information sharing system or portal to which theattack has been submitted. The information sharing system or portal mayhave received the attack from another entity that is different from theentity associated with client devices 104. In some embodiments, theattack 114 may be included in an email (e.g., as a link or attachment),and a user of the client device 104 may forward the email to thesecurity service 108. In response to detection or received notice, themonitoring module 132 may invoke the deception module 134.

The deception module 134 may take a number of actions to counter theattack 114. First, the deception module 134 may block processing (orhalt further processing) of the attack 114 by the affected client device104. In some embodiments, however, such blocking or halting may beaccomplished by the security agent 112 and need not involve thedeception module 134.

The deception module 134 may then configure a device on the clientnetwork 106 as a monitored device 118 or a device on the securityservice network 110 as a monitored device 120. To configure the device,the security service 108 may capture and apply a virtual image of theclient device 104. In some embodiments, the monitored device 118 may beimplemented in a virtual machine or partition of the client device 104(e.g., as an isolated sandbox). Such a virtual image may include anumber of attributes of the client device 104, such as its user name,machine name, operating system version, desktop screens, folder names,preloaded files or computer firmware versions. In other embodiments, thesecurity service 108 may receive this information from a user of theclient device 104 rather than capturing the virtual image. Ifconfiguring a device on the security service network 110, the deceptionmodule may utilize the Border Gateway Protocol (BGP) to have an IPaddress associated with the client network 106 assigned to the monitoreddevice 120, thereby enabling the monitored device 120 to convincinglypose as a device of the client network 106. After configuring the deviceto create a monitored device 118/120, the deception module 134 maytransition the attack 114 from the client device 104 to the monitoreddevice 118/120 and may process the attack 114 on the monitored device118/120.

By processing the attack 114 on the monitored device 118/120, thedeception module 134 enables monitoring of attack activities anddeception of the adversary 116. In some embodiments, the monitoringmodule 132 may monitor the activities of the attack 114 as it executes.For example, the monitoring module 132 may monitor commands and eventsissued by the adversary or monitor network activity, file activity,process activity, execution activity, registry activity, operatingsystem activity, firmware updates, kernel extensions, or loaded driversof the monitored device 118/120. The commands and events issued mayinclude keystrokes, mouse activity, or command line interface activity.Further, the monitoring module 132 may intercept and decodecommunications from the attack 114 to the adversary 116. The monitoringmodule 132 may decode the communications by determining the protocolthat the communications are using. If the protocol is not familiar, themonitoring module 132 may invoke the analysis module 144 to process theintercepted communications and determine the protocol used.

In some embodiment, the monitoring module 132 may further invoke theresponse module 142 to provide an alert to the security agents 112 orprovide human-consumable intelligence to the client entity/user(s).Alternatively or additionally, the monitoring module 132 or responsemodule 142 may invoke the configuration module 146 to reconfigure thesecurity agents 112 to address the attack 114. The reconfiguration maybe based on the activity of the attack 114 captured by the monitoringmodule 132. In some embodiments, the configuration module 146 maycorrelate attack activity information received from a number ofmonitored devices 118/120 and use these correlations in reconfiguringthe security agents 112. In some embodiments, the different monitoreddevices may be associated with different entities.

While the monitoring module 132 monitors activities of the attack 114,the deception module 134 may take actions to deceive the adversary 116.First, the deception module 134 may configure the monitored device118/120 to mimic user activity by for example, opening a browser window,generating keystrokes, etc. By mimicking user activity, the monitoreddevice 118/120 ensures that its pose will be convincing to an adversary116.

In addition to configuring the client device 104 to mimic user activity,the deception module 134 enables the client entity/user(s) to loaddeceptive information 122 onto the monitored device 118/120. Asmentioned above, the adversary 116 could be a competitor or enemyengaged in espionage, and the deceptive information 122 could pose asreal information, causing the adversary 116 to waste time and effortanalyzing the deceptive information 122. The deception module 134 alsoenables the attack 114 to obtain the deceptive information 122 and toprovide the deceptive information 122 to the adversary 116.

In some embodiments, the deception module 134 may maintain the monitoreddevice 118/120 and associated deception over an extended period of time(e.g., weeks, months, or years), feeding new deceptive information tothe adversary 116 through its attack 114 throughout the extended period.

In various embodiments, the beaconing module 136 may operateindependently of the monitoring module 132 and deception module 134.When a document is created on a client device 104, the beaconing module136 may configure the document to report identifying information of thedevice opening the document. Such identifying information may include atleast one of a network address, a geographic location, a universallyunique identifier (UUID), domain information, or derived/upstreamnetwork data. Derived/upstream network data may include upstream routernetwork addresses, network address translation (NAT) data, etc. Thebeaconing module 136 may achieve this configuration by embeddingexecutable instructions in the document that open a connection to thesecurity service 108 when the document is opened. Alternatively, thebeaconing module 136 may achieve this configuration by embedding a linkin the document that causes a request to be submitted to a monitorednetwork address. In some embodiments, the executable instructions mayspecify expected identifying information, such as an expected networkaddress or range or network addresses, and an expected geographiclocation or range of geographic locations. In such embodiments, thedocument may only establish a connection to the security service 108 orcause a request to be submitted to the monitored network address whenthe determined network address or geographic location of the documentopener differs from the expected address/location. In other embodiments,rather than the beaconing module 136 configuring the documents of theclient device 104, the security agents 112 may perform the configuring.

In further embodiments, the beaconing module 136 may receive the reportsor requests sent to the monitored network address from the documentsand, in response, determine whether the adversary 116 or some otherunauthorized entity/user is in possession of the documents. Thebeaconing module 136 may perform this determination based on expectedidentifying information such as an expected network address or expectedrange of network addresses, or based on expected geographic location(s).Such expected information may be received from the client entity/user(s)at the time of registration with the security service 108 or may bereceived from the security agents 112.

In some embodiments, when the document is determined to be possessed bythe adversary 116 or another unauthorized entity, the beaconing module136 may invoke the response module 142 to provide an alert to thesecurity agents 112 or provide human-consumable intelligence to theclient entity/user(s). Alternatively or additionally, the beaconingmodule 136 or response module 142 may invoke the configuration module146 to reconfigure the security agents 112 to address the exfiltrationof the document.

In various embodiments, the DNS redirect module 138 may operateindependently of the beaconing module 136. The DNS redirect module 138may configure a DNS server of the client network 106 to treat the DNSredirect module 138 as a higher-level DNS and to redirect domain nameresolution requests to the DNS redirect module 138. The DNS redirectmodule 138 may then receive domain name resolution requests and invokethe analysis module 144 to determine whether the domain names includedin the domain name resolution requests are associated with maliciousactivity. In some embodiments, the analysis module 144 makes thedetermination by determining whether a domain name is included in a listof known malicious or suspicious domains. The analysis module 144 mayalso or instead determine that the domain name is unfamiliar or isassociated with a specific geographic location (e.g., a known geographiclocation of a known adversary 116 or class or group of adversaries 116).

In some embodiments, when the analysis module 114 informs the DNSredirect module 138 that a domain name is associated with maliciousactivity, the DNS redirect module 138 invokes the deception module 134to configure a device in the client network 106 as an monitored server128 or a device in the security service network 110 as an monitoredserver 130. The monitored server 128/130 may pose as a C2 server 124 oran exfiltration server 126 of an adversary 116. To make the poseconvincing, the deception module 134 may configure the monitored server128/130 with a plurality of adversary protocols that may be used indecoding communications from a attack 114 that made the domain nameresolution request. The DNS redirect module 138 may then respond to thedomain name resolution request with a network address of the monitoredserver 128/130 to cause the attack 114 that made the domain nameresolution request to communicate with the monitored server 128/130.

In further embodiments, the DNS redirect module 138 may invoke theresponse module 142 to provide an alert to the security agents 112 orprovide human-consumable intelligence to the client entity/user(s).Alternatively or additionally, the DNS redirect module 138 or responsemodule 142 may invoke the configuration module 146 to reconfigure thesecurity agents 112 to address the exfiltration of the document.

Additionally, in some embodiments, the DNS redirect module 138 mayinvoke the deception module to configure a monitored device 118/120 andto transition the attack 114 to the monitored device 118/120. Suchtransitioning may take place after the attack 114 has communicated withthe monitored server 128/130 for some time period.

In various embodiments, the dormant domain name repository 140 may be arepository of dormant domain names that were previously associated withmalicious activity. The security service 108 may create the dormantdomain name repository 140 from other available repositories of dormantdomain names previously associated with malicious activity, byconstructing the dormant domain name repository 140 as suspiciousdormant domain names are detected, or some combination of both. Thesecurity agents 112 may be configured to identify as a suspicious,dormant domain name any locally-resolving domain name (e.g., resolves tonetwork address 127.0.0.1) or any irresolvable domain name. The securityagents 112 may inform the security service 108 of these, and thesecurity service 108 may add them to the dormant domain name repository140.

In some embodiments, the monitoring module 132 may monitor for changesto name resolutions or registrations of the domain names included in thedormant domain name repository 140. The monitoring module 132 mayperform this monitoring for changes periodically or continuously. Inresponse to detecting a change, the monitoring module 132 may furtherinvoke the response module 142 to provide an alert to the securityagents 112 or provide human-consumable intelligence to the cliententity/user(s). Alternatively or additionally, the monitoring module 132or response module 142 may invoke the configuration module 146 toreconfigure the security agents 112 to appropriately handle thenow-active domain names.

In some embodiments, the deception module 134 may also prepare monitoreddevices 118/120 or monitored servers 128/130 for each dormant domainname in the dormant domain names repository 140, in the manner described above.

In some instances, any or all of the client devices 104, the securityservice 108, the monitored device 118/120, or the monitored server128/130 may have features or functionality in addition to those thatFIG. 1 illustrates. For example, some or all of the functionalitydescribed as residing within any or all of the client devices 104, thesecurity service 108, the monitored device 118/120, or the monitoredserver 128/130 may reside remotely from that/those device(s).

Example Processes

FIGS. 2-5 illustrate example processes 200, 300, 400, and 500. Theseprocesses are illustrated as logical flow graphs, each operation ofwhich represents a sequence of operations that can be implemented inhardware, software, or a combination thereof. In the context ofsoftware, the operations represent computer-executable instructionsstored on one or more computer-readable storage media that, whenexecuted by one or more processors, perform the recited operations.Generally, computer-executable instructions include routines, programs,objects, components, data structures, and the like that performparticular functions or implement particular abstract data types. Theorder in which the operations are described is not intended to beconstrued as a limitation, and any number of the described operationscan be combined in any order and/or in parallel to implement theprocesses.

FIG. 2 illustrates an example process for transitioning an attack to anmonitored device posing as the computing device impacted by the attackand enabling the adversary associated with the attack to obtaindeceptive information from the monitored device. The process 200includes, at 202, receiving, by a security service, automated or manualnotification of an attack directed at a computing device. In someembodiments, receiving the automated or manual notification may compriseretrieving the attack from an information sharing system or portal towhich the attack has been submitted. The attack may be one of aspearfish email, a clickable link, a website, a drive by exploit, a QRcode, a Near Field Communications (NFC) triggered link, a document, anexecutable, a removable drive, or an archive. Further, the notificationmay be received from a user forwarding the attack or from a securityagent monitoring the computing device.

At 204, the security service blocks processing of the attack by thecomputing device that the attack is targeted at.

At 206, the security service transitions the attack to a monitoreddevice, the monitored device configured to pose as the affectedcomputing device to an adversary associated with the attack. Themonitored device may be a physical machine or virtual machine configuredwith a virtual image of the computing device. The virtual image mayinclude at least one or more of a user name, a machine name, anoperating system version, desktop screens, folder names, preloaded filesor computer firmware versions associated with the affected computingdevice. Also, monitored device may be located on a network of an entityassociated with the impacted computing device or implemented remotely bythe security service. If implemented remotely, the monitored device maybe assigned a network address associated with the entity. Further, themonitored device may mimic user activity.

At 208, the security service processes the attack on the monitoreddevice. While processing the attack, the security service may, at 210,monitor commands and events issued by the adversary or monitor networkactivity, file activity, process activity, execution activity, registryactivity, operating system activity, firmware updates, kernelextensions, or loaded drivers of the monitored device. The commands andevents issued may include keystrokes, mouse activity, or command lineinterface activity. At 212, the security service correlates informationobtained from monitoring attacks on multiple monitored devices. At 214,while monitoring, the security service intercepts and decodescommunications from the attack to the adversary system. At 216, thesecurity service updates configuration of security agent implemented onthe affected device based at least in part on the monitoring or provideshuman-consumable intelligence.

At 218, the security service enables an entity associated with theaffected computing device to load deceptive information onto themonitored device posing as that impacted device. At 220, the securityservice may then enable the adversary associated with the attack toobtain the deceptive information. In some embodiments, the monitoring ofthe attack and the enabling of it to provide deceptive information mayoccur over an extended period of time (e.g., weeks, months, or years).While performing the enabling at 220, the security service may receiveintelligence from the adversary about at least one of the adversary'stools, tactics, techniques, or procedures.

FIG. 3 illustrates an example process for configuring a document toreport identifying information of an entity opening the document toenable determination of whether an unauthorized entity is in possessionof the document. The process 300 includes, at 302, configuring adocument to report identifying information of a device opening thedocument to the security service. Such identifying information mayinclude at least one of a network address, a geographic location, auniversally unique identifier (UUID), domain information, orderived/upstream network data. In some embodiments, the configuringincludes embedding executable instructions in the document. Theexecutable instructions embedded in the document may be configured toopen a connection to the security service and to perform the reportingbased at least in part on whether the identifying information differsfrom identifying information embedded in the document. Alternatively,the configuring may include embedding a link in the document that causesa request to be submitted to a monitored network address.

At 304, the security service may receive a report associated with thedocument, the report including the identifying information.

At 306, the security service may determine, based on the at least one ofthe identifying information, that unauthorized entity is in possessionof the document.

At 308, the security service may alert an entity associated with thedocument of the possession by the unauthorized entity.

FIG. 4 illustrates an example process for determining that a domainspecified in a domain name request is associated with malicious activityand responding to the request with a network address of an monitoredserver to cause the requesting process to communicate with the monitoredserver in place of an adversary server. The process 400 includes, at402, redirecting a domain name resolution request from a domain nameserver associated with a device or entity implementing a process thatsubmitted the domain name resolution request.

At 404, a security service receives the redirected domain nameresolution request.

At 406, the security service determines that a domain name included inthe domain name resolution request is indicative of malicious activity.In some embodiments, the determining comprises determining whether thedomain name is included in a list of known malicious or suspiciousdomains. The determining may also or instead comprise determining thatthe domain name is unfamiliar, is associated with a specific geographiclocation, or is associated with a specific entity.

At 408, the security service responds to the domain name resolutionrequest with a network address of a monitored server to cause therequesting process to communicate with the monitored server in place ofan adversary server. In some embodiments, the monitored server poses asan adversary command-and-control system or an adversary exfiltrationsystem to the requesting process, the requesting process being a attack.Also, the monitored server may decode the communications from therequesting process. Further, the monitored server may determine that therequesting process is utilizing a new protocol to encode thecommunications and analyze the communications to learn the new protocol.

At 410, the security service alerts at least one of a security agent orusers of an entity affected by an attack associated with the requestingprocess.

At 412, the security service transitions an attack associated with therequesting process to an monitored device, the monitored device posingas the computing device impacted by the attack.

FIG. 5 illustrates an example process for monitoring dormant domainsnames associated with malicious activity and, in response to a change,responding with an alert or a configuration update. The process 500includes, at 502, detecting suspicious domain names to add to arepository of dormant domain names by identifying whether the domainname resolves to local network address, whether the domain name resolvesto non-routable network address, or whether the domain name fails toresolve and then ascertaining whether the domain name is associated withmalicious activity. Dormant domain names associated with maliciousactivity are then added to the repository.

At 504, a security service associated with the repository monitors forchanges to name resolutions or registrations of domain names included inthe repository. The monitoring may include continuously or periodicallyresolving the dormant domain names to determine if their nameresolutions have changed.

At 506, the security service associates a monitored server with one ofthe dormant domain names and, in response to the dormant domain namebecoming active, responds to domain name resolution requests specifyingthe now-active domain name with a network address of the monitoredserver.

At 508, the security service may perform at least one of updating asecurity agent configuration or alerting a security service user basedon the detected changes.

Example System

FIG. 6 illustrates a component level view of a computing device capableof acting as a security service device, a client device, an monitoreddevice, or an monitored server. As illustrated, computing device 600comprises a system memory 602 storing modules and data 604. Also,computing device 600 includes processor(s) 606, a removable storage 608and non-removable storage 610, input device(s) 612, output device(s) 614and communication connections 616 for communicating with other computingdevices 618.

In various embodiments, system memory 602 is volatile (such as RAM),non-volatile (such as ROM, flash memory, etc.) or some combination ofthe two. The modules or data 604 stored in the system memory 602 maycomprise methods, threads, processes, applications or any other sort ofexecutable instructions, such as the instructions utilized to performthe operations of the client devices 104, security service 108,monitored devices 118/120, or monitored servers 128/130. The modules anddata 604 may also include files and databases.

In some embodiments, the processor(s) 606 is a central processing unit(CPU), a graphics processing unit (GPU), or both CPU and GPU, or otherprocessing unit or component known in the art.

Computing device 600 also includes additional data storage devices(removable and/or non-removable) such as, for example, magnetic disks,optical disks, or tape. Such additional storage is illustrated in FIG. 6by removable storage 608 and non-removable storage 610. Tangiblecomputer-readable media may include volatile and nonvolatile, removableand non-removable media implemented in any method or technology forstorage of information, such as computer readable instructions, datastructures, program modules, or other data. System memory 602, removablestorage 608 and non-removable storage 610 are all examples ofcomputer-readable storage media. Computer-readable storage mediainclude, but are not limited to, RAM, ROM, EEPROM, flash memory or othermemory technology, CD-ROM, digital versatile disks (DVD) or otheroptical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bythe computing device 600. Any such tangible computer-readable media maybe part of the computing device 600.

Computing device 600 also has input device(s) 612, such as a keyboard, amouse, a touch-sensitive display, voice input device, etc., and outputdevice(s) 614 such as a display, speakers, a printer, etc. These devicesare well known in the art and need not be discussed at length here.

Computing device 600 also contains communication connections 616 thatallow the computing device 600 to communicate with other computingdevices 618, such as others of the security service devices, the clientdevices, monitored devices, monitored servers, or adversary systems.

CONCLUSION

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter defined in the appended claims is notnecessarily limited to the specific features or acts described. Rather,the specific features and acts are disclosed as exemplary forms ofimplementing the claims.

What is claimed is:
 1. One or more non-transitory computer-readablemedia storing computer-executable instructions configured to program oneor more computing devices to perform operations comprising: configuringa document to send a report to the one or more computing devicesindicating that the document is opened on a device, the reportindicating identifying information of the device including at least oneof a network address of the device or a geographic location of thedevice; receiving the report; determining that the network address orthe geographic location in the report does not match a predefinedexpected network address or a predefined expected geographic location;determining that the identifying information in the report correspondsto an unauthorized entity, based on the determination that the networkaddress or the geographic location in the report does not match thepredefined expected network address or the predefined expectedgeographic location; and in response to determining that the identifyinginformation in the report corresponds to an unauthorized entity, sendingan alert to an authorized entity associated with the document indicatingthat the unauthorized entity has possession of the document.
 2. The oneor more non-transitory computer-readable media of claim 1, wherein theconfiguring includes embedding executable instructions or a link in thedocument.
 3. The one or more non-transitory computer-readable media ofclaim 2, wherein the link embedded in the document is configured tocause the report to be sent to a monitored network address associatedwith the one or more computing devices when the link is activated by thedevice.
 4. The one or more non-transitory computer-readable media ofclaim 2, wherein the executable instructions embedded in the documentcause a connection to be opened to the one or more computing deviceswhen the document is opened by the device.
 5. The one or morenon-transitory computer-readable media of claim 2, wherein theexecutable instructions embedded in the document specify at least one ofthe predefined expected network address or the predefined expectedgeographic location, and cause the report to be sent when the networkaddress of the device or the geographic location of the device differsfrom the at least one of the predefined expected network address or thepredefined expected geographic location.
 6. The one or morenon-transitory computer-readable media of claim 1, wherein theidentifying information indicated in the report further comprises atleast one of a universally unique identifier (UUID), domain information,or derived/upstream network data.
 7. A computer-implemented methodcomprising: configuring a document to send a report to one or morecomputing devices indicating that the document is opened on a device,the report indicating identifying information of the device including atleast one of a network address of the device or a geographic location ofthe device; receiving the report; determining that the network addressor the geographic location in the report does not match a predefinedexpected network address or a predefined expected geographic location;determining that the identifying information in the report correspondsto an unauthorized entity, based on the determination that the networkaddress or the geographic location in the report does not match thepredefined expected network address or the predefined expectedgeographic location; and in response to determining that the identifyinginformation in the report corresponds to an unauthorized entity, sendingan alert to an authorized entity associated with the document indicatingthat the unauthorized entity has possession of the document.
 8. Thecomputer-implemented method of claim 7, wherein the configuring includesembedding executable instructions or a link in the document.
 9. Thecomputer-implemented method of claim 8, wherein the link embedded in thedocument is configured to cause the report to be sent to a monitorednetwork address associated with the one or more computing devices whenthe link is activated by the device.
 10. The computer-implemented methodof claim 8, wherein the executable instructions embedded in the documentcause a connection to be opened to the one or more computing deviceswhen the document is opened by the device.
 11. The computer-implementedmethod of claim 8, wherein the executable instructions embedded in thedocument specify at least one of the predefined expected network addressor the predefined expected geographic location, and cause the report tobe sent when the network address of the device or the geographiclocation of the device differs from the at least one of the predefinedexpected network address or the predefined expected geographic location.12. The computer-implemented method of claim 7, wherein the identifyinginformation indicated in the report further comprises at least one of auniversally unique identifier (UUID), domain information, orderived/upstream network data.
 13. A system comprising: one or morehardware processors; memory storing computer-executable instructionsthat, when executed by the one or more processors, cause the one or moreprocessors to perform operations comprising: configuring a document tosend a report to one or more computing devices indicating that thedocument is opened on a device, the report indicating identifyinginformation of the device including at least one of a network address ofthe device or a geographic location of the device; receiving the report;determining that the network address or the geographic location in thereport does not match a predefined expected network address or apredefined expected geographic location; determining that theidentifying information in the report corresponds to an unauthorizedentity, based on the determination that the network address or thegeographic location in the report does not match the predefined expectednetwork address or the predefined expected geographic location; and inresponse to determining that the identifying information in the reportcorresponds to an unauthorized entity, sending an alert to an authorizedentity associated with the document indicating that the unauthorizedentity has possession of the document.
 14. The system of claim 13,wherein the configuring includes embedding executable instructions or alink in the document.
 15. The system of claim 14, wherein the linkembedded in the document is configured to cause the report to be sent toa monitored network address associated with the one or more computingdevices when the link is activated by the device.
 16. The system ofclaim 14, wherein the executable instructions embedded in the documentcause a connection to be opened to the one or more computing deviceswhen the document is opened by the device.
 17. The system of claim 14,wherein the executable instructions embedded in the document specify atleast one of the predefined expected network address or the predefinedgeographic location, and cause the report to be sent when the networkaddress of the device or the geographic location of the device differsfrom the at least one of the predefined expected network address or thepredefined expected geographic location.
 18. The system of claim 13,wherein the identifying information indicated in the report furthercomprises at least one of a universally unique identifier (UUID), domaininformation, or derived/upstream network data.